Bug#310633: exim4-daemon-heavy: av_scanner permission error with clamav

Marc Haber <mh+debian-packages@zugschlus.de>, 310633@bugs.debian.org
Mon, 30 May 2005 19:40:30 +0200


Hi,

basically, I tend to agree with Adam.

On Thu, May 26, 2005 at 01:09:44PM -0600, Tom.Morgan@denverseminary.edu wrote:
> Thanks for mentioning #250335.  I've read it and I see that the
> documentation to deal with this issue does exist.  However, in the name of
> ease of use and accessibility to people, it seems to me that it still would
> be useful to attempt to address the issue at the installer level.  

It would be useful, but exceptionally hard and error-prone from a
packaging level.

> While dealing with it inside the clamav-daemon package seems out of place
> because of the variety of potential uses of that package, including it
> inside exim4-daemon-heavy (because of the exiscan-acl code) might make more
> sense.

Having exim4-daemon deal with clamav/mailscanner issues seems out of
place as well because of the variety of potential uses of that
package. Mail being one of the most central internet services,
frankly, I think that exim has many more potential uses than clamav
which is a quite specialized program.

> It also helps negotiate the ownership of the passwd record.
> That is, it's less awkward to add the clamav group to the Debian-exim user
> by an exim package than by the clamav package.

I do not think that it is right to add Debian-exim to the clamav group
by default. To make things worse, this addition needs to be done by
both packages, because it is not predictable which package gets
installed first. It would be a debugging nightmare to have Debian-exim
not in the clamav group just because clamav was installed a few weeks
after exim.

> I would guess that the likelihood of using clamav with -heavy is reasonably
> high

No. I am extremely reluctant to do local adaptations for other
packages since the packages that could demand similar treatment are
surely in the range of a few hundred packages.

> and that adding the clamav group to the Debian-exim user, by -heavy,
> would be useful.  Is the risk of blindly adding that group membership
> substantial?  Changing the permissions of /var/spool/exim4/scan to include
> group-write seems like something that could (and I would argue should) be
> done easily without any additional consequence.

That is, in my opinion, the job of the local sysadmin, or a dedicated
exim4-clamav-Package, which I am not going to maintain.

> Alternatively, it could be a debconf option by -heavy or by clamav-daemon,
> but that would seem less likely to be helpful based on variance in install
> order sequence and/or install times, such as adding clamav-daemon or
> upgrading to -heavy, either at a later date.

exim4's Debconf configuration is already complicated enough. I don't
think that every detail of E-Mail should/could be configurable via
debconf.

> I know some packages also display an info page through debconf (or email it
> to root).

That practice is widely regarded as Debconf abuse, since the real
place for getting news through to the local admin is NEWS.Debian.

> Perhaps at least presenting this issue through that mechanism
> would raise awareness and be able to point to the documentation with
> information to fix it.

People should read the documentation without having it hurled at them.
Having a dedicated "READ the docs" Debconf warning will suggest adding
those warnings to each and every package, which will cause people to
dismiss Debconf messages without even reading them. Then, requests for
measures to make important Debconf messages more prominent will pop
up, to be repeated ad libitum. If people want to be stupid by not
reading available docs, I am not in a position to change that.

> Again, I would suggest that be added to the MTA(s)
> affected.  

Sorry, that request is going to be denied if you don't come up with a
few more arguments why mailscanner/clamav is more important than,
for example, mailman, request-tracker, nagios, courier or dovecot.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mail address in header
Mannheim, Germany  |  lose things."    Winona Ryder | Phone: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835